
ELF of the Month: New Lucky Ransomware Sample

News broke in late November 2018 about a ransomware variant dubbed Lucky Ransomware that targets both Linux and Windows platforms. A recent sample of the ransomware module was uploaded to VirusTotal in mid-December 2018 with characteristics that differ from previously reported samples. In this month’s edition of ELF of the Month, we take a look at this new sample.

Lucky Ransomware Background

Lucky Ransomware was first reported by SANGFOR and NSFOCUS in late November and early December 2018. It is described as a variant of Satan ransomware and has both a Windows and a Linux version. The malware is modular in nature with three major components:

Propagation module

Ransomware module

Coinmining module

The malware attempts to propagate via scanning the local subnet for the following vulnerabilities:

In addition to this, the malware looks to crack weak passwords on Linux hosts.

The ransomware module encrypts files by file extension while whitelisting a number of directories. It names the encrypted files with the extension “.lucky” and leaves a ransom note in a file named “How_To_Decrypt_My_File”.

New Sample Details

On December 13th, 2018, a sample of the ransomware module was uploaded to VirusTotal. At the time of this writing it has been submitted 33 times by four submitters. This sample triggers 16 AV detections, two of which identify the sample as Lucky ransomware in the malware family name.

When this sample runs it does a couple of things differently. First, it names the encrypted files differently:

“[nmare@protonmail.com]<filename>.<string>.nmare” as opposed to “[nmare@cock.li]<filename>.<string>.lucky”

Figure 1. File listing of encrypted files.

The ransom note is named “How_To_Decrypt_My_File” as opposed to “_How_To_Decrypt_My_File”.
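As an added example (not code from the original post or from the referenced vendor reports), here is a small Python triage script that matches both encrypted-file naming patterns and both ransom note names against a directory listing, so a responder can tell which variant touched a host. The sample listing, the helper names and the per-contact grouping are my own assumptions.

```python
import re

# Encrypted-file naming patterns quoted in the post:
#   "[nmare@protonmail.com]<filename>.<string>.nmare"  (new sample)
#   "[nmare@cock.li]<filename>.<string>.lucky"         (earlier samples)
ENCRYPTED_NAME_RE = re.compile(
    r"^\[(?P<email>[^\]]+@[^\]]+)\](?P<original>.+)\.(?P<token>[^.]+)\.(?P<ext>nmare|lucky)$"
)

# Ransom note names, with and without the leading underscore.
RANSOM_NOTE_NAMES = {"How_To_Decrypt_My_File", "_How_To_Decrypt_My_File"}

def classify_path(path):
    """Return a dict describing the artifact if the file name matches, else None."""
    name = path.rsplit("/", 1)[-1]
    if name in RANSOM_NOTE_NAMES:
        return {"path": path, "kind": "ransom_note"}
    m = ENCRYPTED_NAME_RE.match(name)
    if m:
        return {"path": path, "kind": "encrypted_file", "variant": m.group("ext"),
                "contact": m.group("email"), "original": m.group("original")}
    return None

def scan_listing(listing):
    """Classify each non-empty line of a directory listing (one path per line)."""
    hits = (classify_path(l.strip()) for l in listing.splitlines() if l.strip())
    return [h for h in hits if h]

def summarize(findings):
    """Per-variant counts plus the contact addresses seen, for a triage report."""
    summary = {"nmare": 0, "lucky": 0, "ransom_notes": 0, "contacts": set()}
    for f in findings:
        if f["kind"] == "ransom_note":
            summary["ransom_notes"] += 1
        else:
            summary[f["variant"]] += 1
            summary["contacts"].add(f["contact"])
    return summary

# Constructed sample listing (not a real capture): a clean file, the new
# ".nmare" naming, the older ".lucky" naming and a ransom note.
SAMPLE_LISTING = """
/home/user/[nmare@protonmail.com]report.docx.AbC123.nmare
/home/user/[nmare@cock.li]photo.jpg.Zz9Q.lucky
/home/user/How_To_Decrypt_My_File
/home/user/notes.txt
"""
```

Run `summarize(scan_listing(SAMPLE_LISTING))` to get per-variant counts; feeding it the output of `find / -type f` from a suspect host gives the same report for real data.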

The ransom note contains the same Bitcoin wallet address; however, the email address has been updated (it is the same email used in the encrypted filename).

Figure 2. Ransom note.

Additionally, there is a new command and control IP, 111.90.141.104. Looking at the IP in VirusTotal, you can see a number of URLs containing the modules associated with Lucky Ransomware.

Figure 3. Listing of scanned URLs associated with 111.90.141.104.

Conclusion

The command and control IP for this sample is still active. We expect to see more updates and new samples in the future. As preventative measures, update vulnerable versions of the software targeted by the propagation module, block the command and control infrastructure detailed in this blog and the referenced blogs, and ensure your systems have proper backups in the event of a ransomware infection.